Bug 2440903 (CVE-2026-26046)

Summary: CVE-2026-26046 moodle: Moodle: Improper Input Sanitization in TeX Filter Administration Setting
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.
Bug Depends On: 2440904    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-19 08:53:02 UTC
An OS Command Injection vulnerability exists in Moodle’s TeX filter administrative configuration due to insufficient sanitization of input parameters processed by external utilities such as ImageMagick. A site administrator could supply crafted input that results in execution of arbitrary operating system commands. Successful exploitation allows full compromise of the Moodle server, including unauthorized access to data and service disruption. This issue affects sites where the TeX notation filter is enabled and ImageMagick is present.